Re: [Emu] Adoption call for EAP-DPP

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 16 September 2022 13:12 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Peter Yee <peter@akayla.com>, "emu@ietf.org" <emu@ietf.org>
Date: Fri, 16 Sep 2022 13:12:19 +0000
Message-ID: <DS0PR11MB64456AAFE26B8EF8894DF086DB489@DS0PR11MB6445.namprd11.prod.outlook.com>
References: <006a01d8c33f$89efa6d0$9dcef470$@akayla.com> <112784.1663067607@dooku>
In-Reply-To: <112784.1663067607@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/3oQr5nFzDxMQfKKDmcyJN1Zxbb8>
Subject: Re: [Emu] Adoption call for EAP-DPP

Thanks Michael.

Ok, we can look at a re-layout and consider moving some of the EAP motivations in section 3 earlier in the document.

And agree, I think we can do a better job of linking the use of draft-ietf-tls-external-psk-importer to identify BSKs with the EAP handshake! We can fix that up in the next draft too.

Inline for more.

-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Tuesday 13 September 2022 12:13
To: Peter Yee <peter@akayla.com>; emu@ietf.org
Subject: Re: [Emu] Adoption call for EAP-DPP


I have read draft-friel-tls-eap-dpp-05.
I have no objection to the WG working on such a thing, but I think that there is actually quite a lot of work left to do.

I think that the section 3, which explains the EAP connection (and the motivation for the work) should probably come before the extension and the cryptographic explanation!

I find the document quite weak even in section 3.
I think that the EAP server (Authentication Server) is meant to use the OOB public key to authenticate the new device.

I'm rather vague as to how the Authentication Server knows what identity to use to look the public key up, and how the privacy of this identity is preserved.

[ofriel] The draft-ietf-tls-external-psk-importer external_identity is HKDF derived from the BSK public key as outlined in https://datatracker.ietf.org/doc/html/draft-friel-tls-eap-dpp-05#section-2.1. This is included in the ImportedIdentity struct which is serialized into PskIdentity.identity in the PSK extension, all as per draft-ietf-tls-external-psk-importer. Only a server that knows the raw/cleartext BSK public key can complete the TLS PSK handshake.


Does the device get any indication that it has been plugged into the correct network?  Is there any authentication of the Authentication Server?

[ofriel] The device and server are afforded the same levels of identity guarantees and authentication as Wi-Fi DPP. The network gets a guarantee that the device connecting knows the BSK private key. The device gets a guarantee that the network knows its BSK public key. Similar to Wi-Fi Easy Connect / DPP, proof of knowledge of the BSK public key is proof of ownership of the device.



While I acknowledge you are not trying to implement BRSKI (RFC8995) or SZTP (RFC8572), it would be good if your Security Considerations addressed some of the same issues that those documents deal with.



--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
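The identity and PSK import steps Owen describes above (an external_identity derived from the BSK public key, carried in an ImportedIdentity struct that is serialized into PskIdentity.identity, with only a server that knows the BSK public key able to finish the PSK handshake), as an added worked example that is not code from draft-friel-tls-eap-dpp, from the TLS PSK importer draft, or from anyone on the list. The ImportedIdentity layout, HKDF-Expand-Label encoding and the "derived psk" import step follow RFC 9258 (the published form of draft-ietf-tls-external-psk-importer) and RFC 8446. How the external_identity and external PSK are derived from the BSK public key is an assumption here with hypothetical labels, since the draft's exact derivation is not reproduced on this page, and the BSK public key bytes are a constructed placeholder rather than a real EC point.

```python
"""Added example, not code from draft-friel-tls-eap-dpp or the EMU list.

Device side serialises an RFC 9258 ImportedIdentity and derives the imported
PSK (ipskx).  A server that can map external_identity back to a BSK public
key it holds rebuilds the same ipskx; a server that cannot gets nothing to
verify the binder with, so the handshake fails.  The BSK -> (identity, epsk)
step and its labels are assumptions, not the draft's text.
"""
import hashlib
import hmac
import struct

TLS13 = 0x0304          # RFC 9258 target_protocol code point
HKDF_SHA256 = 0x0001    # RFC 9258 target_kdf code point
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label with the HkdfLabel encoding of RFC 8446 section 7.1."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def imported_identity(external_identity: bytes, context: bytes = b"") -> bytes:
    """Serialise the RFC 9258 ImportedIdentity struct; this is PskIdentity.identity on the wire."""
    return (struct.pack("!H", len(external_identity)) + external_identity
            + struct.pack("!H", len(context)) + context
            + struct.pack("!HH", TLS13, HKDF_SHA256))


def parse_imported_identity(ident: bytes):
    """Server side: recover external_identity and context, rejecting malformed input."""
    try:
        off = 0
        (n,) = struct.unpack_from("!H", ident, off); off += 2
        ext = ident[off:off + n]; off += n
        (m,) = struct.unpack_from("!H", ident, off); off += 2
        ctx = ident[off:off + m]; off += m
        proto, kdf = struct.unpack_from("!HH", ident, off); off += 4
    except struct.error as exc:
        raise ValueError("truncated ImportedIdentity") from exc
    if off != len(ident) or len(ext) != n or len(ctx) != m or proto != TLS13 or kdf != HKDF_SHA256:
        raise ValueError("malformed or unsupported ImportedIdentity")
    return ext, ctx


def import_psk(epsk: bytes, ident: bytes) -> bytes:
    """RFC 9258 section 5.1: ipskx = HKDF-Expand-Label(HKDF-Extract(0, epsk),
    "derived psk", Hash(ImportedIdentity), L)."""
    epskx = hkdf_extract(bytes(HASH_LEN), epsk)
    return hkdf_expand_label(epskx, b"derived psk", HASH(ident).digest(), HASH_LEN)


def bsk_derive(bsk_pub: bytes):
    """ASSUMPTION: the draft derives external_identity and the external PSK
    from the BSK public key with HKDF; the labels here are hypothetical."""
    prk = hkdf_extract(b"", bsk_pub)
    external_identity = hkdf_expand(prk, b"hypothetical-eap-dpp identity", 16)
    epsk = hkdf_expand(prk, b"hypothetical-eap-dpp psk", 32)
    return external_identity, epsk


def server_import(ident: bytes, known_bsk_pubs):
    """Server holding some BSK public keys: pick the one whose derived
    external_identity matches the presented one, then derive the same ipskx.
    Returns None when nothing matches, i.e. the PSK handshake cannot complete."""
    ext, _ctx = parse_imported_identity(ident)
    for pub in known_bsk_pubs:
        cand_ext, epsk = bsk_derive(pub)
        if hmac.compare_digest(cand_ext, ext):
            return import_psk(epsk, ident)
    return None


# Constructed placeholder, not a real P-256 point.
BSK_PUB = bytes.fromhex("04" + "11" * 32 + "22" * 32)


def demo():
    """Device side, then a server that knows the BSK and one that does not."""
    ext, epsk = bsk_derive(BSK_PUB)
    ident = imported_identity(ext)
    device_ipsk = import_psk(epsk, ident)
    known = server_import(ident, [BSK_PUB])
    unknown = server_import(ident, [bytes(65)])
    return device_ipsk == known, unknown is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The server never sees the BSK public key on the wire: it only sees the serialized ImportedIdentity, and the lookup works because it can regenerate the external_identity from the keys it already holds. A server without the key derives a different identity for every candidate and the lookup returns None, which is the point Owen makes about only a server that knows the cleartext BSK public key being able to complete the handshake.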